Nobody likes passwords. If you use the same one everywhere, a single slipup can give a thief access to all your information. If you make your passwords unique, you’ll have so many you’ll have to rely on your Web browser to remember them.
Pokai Chen and Meng-syun Tsai, computer scientists at National Chiao Tung University (NCTU), based in Hsinchu, Taiwan, think the solution is to revert to the days when the only ID you ever needed was your signature. They’ve come up with an app that lets you log in by drawing your signature—or anything else, really—in the air with your smartphone.
The app, called AirSig, has been available since September on Google Play. In mid-October it won first prize in the Cloud Innovation and Application Contest sponsored by Taiwan’s Ministry of Economic Affairs.
AirSig, a form of gesture recognition, grew out of research the pair did at NCTU. There are several other academic groups around the world that have explored the idea, but with less success.
Chen says that sensors embedded in the phone’s handset can catch and recognize a signature in the air, though he wouldn’t reveal which sensors the app relies on and for what. Most smartphones now include a 3-axis accelerometer, a gyroscope, and a compass, and some are starting to come equipped with air-pressure sensors.
In experiments, AirSig took only 0.1 second to recognize a signature—100 times as fast as the best performance of a similar system reported in 2011 by a team at Universidad Politécnica de Madrid [PDF]. The Taiwan group also found there was a 0.63 percent chance that a user’s signature could be falsely rejected. However, it would be almost impossible to hack this system, Chen says, because the false acceptance rate was also very low—0.97 percent. The team got that figure by observing 32 people who tried mimicking a signature 20 times after seeing someone sign a name once.
The results are favorable compared with what the Spanish team was able to achieve. Using a biometrics measure called the equal error rate, which allows comparisons of error rates across methods, AirSig scored 0.8 percent versus the Spanish system’s 2.8 percent.
The 0.8 percent equal error rate is “absolutely amazing,” says Lin Zhong, a computer scientist at Rice University who has done research on gesture recognition using mobile devices [PDF]. And the number also points to a clue about AirSig’s inner workings. “I guess they used both accelerometers and a gyroscope. In our work, we only used the accelerometer, because gyroscopes had not appeared on phones back then,” he says. “The gyroscope definitely will help the accuracy.”
According to Chen, the app’s ID authentication technology is secure because it considers what you know (your signature), who you are (the particular way you sign your name), and what you have (your own smartphone with the app) at the same time. “The in-air signature is highly safe because it will stay unknown to others forever if it has never been revealed,” and even brute-force attacks would not be able defeat it, Chen says.
By comparison, Chen says, thieves can trick Apple’s iPhone 5s Touch ID by lifting a fingerprint or using the finger of the phone’s unconscious owner. In fact, in September, just a few days after the release of the iPhone 5s, the Chaos Computer Club, a group of hackers based in Berlin, claimed it had hacked the iPhone’s fingerprint reader. A report by the market research firm IHS iSuppli estimates that the Touch ID fingerprint sensor costs US $7. “Compared to the cost for Apple to adopt Touch ID technology…using our technology to secure a smartphone leads to no extra hardware cost,” Chen says, adding that it should be relatively easy to build an iOS version of AirSig.
About the Author
Yu-Tzu Chiu is a Taipei correspondent for Bloomberg BNA. She has chronicled Taiwan’s tech policies for IEEE Spectrum since 2000. In February 2013, she reported on a way to use brain activity to predict whether a new online game would be a hit or a flop.